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INTRODUCTION 


Since 2000, the Network Advertising Initiative (NAI) has been a leading self-regulatory 
body governing “third parties” engaged in Interest-Based Advertising (IBA)' and Ad 
Delivery and Reporting (ADR) in the United States, based on its Code of Conduct.’ 

In 2016, the NAI also began regulating Cross-App Advertising (CAA)* by enforcing its 
Mobile Application Code. The Mobile Application Code was incorporated into the 2018 
NAI Code of Conduct (Code), which covers both web-based and mobile application- 
based data collection and use for digital advertising purposes. This edition of the Code, 
enforced as of January 1, 2018, also created a new term, Personalized Advertising, to 
collectively encompass IBA, CAA, and Retargeting.° At the time of this publication, 

the NAI has 103 member companies. These NAI members include a wide range of 
businesses such as ad networks, exchanges, platforms,data aggregators, and other 
technology providers.® Across websites and mobile applications, these intermediaries 
form the backbone of the digital advertising ecosystem — helping advertisers reach 
audiences most likely to be interested in their products and services while allowing 
consumers to receive ads that are relevant to their interests. This relevant advertising, 
in turn, continues to power free content and services in the digital ecosystem, 


including websites and mobile applications.’ 
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AD TECH INDUSTRY AND NAI MEMBERS 


[ Data Broker / Data Aggregator | 


Helps Advertisers Supplement Data with Additional Targeting Criteria Such as Demographic Information 
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Helps Advertisers Manage and Organize Consumer Data and Preferences 


[ Audience or Data Management Platform (AMP/DMP) ] 


[NAI Members 


NAI members provide the processes and technologies that ensure advertisers are spending their marketing dollars 
effectively while compensating content providers so that many websites and applications can remain free to users. 


Member companies work together with NAI staff to help craft stringent yet practical 
guidelines for data collection and use in connection with Personalized Advertising and ADR. 
This process also results in periodic updates to NAI Code and Guidance documents to keep 
pace with evolving technologies and digital advertising business models. Ultimately, the goal 
of the NAI is to maintain consumer trust by protecting consumer privacy while enabling 
member companies to provide a relevant digital advertising experience. The NAI helps its 
members foster this trust through a comprehensive self-regulatory program that includes the 
Code and NAI Guidance, backed by robust compliance, enforcement, and sanctions. 


During the 2018 compliance period, NAI staff reviewed eligible members’ compliance with 
the Code. This report provides a summary of the NAI’s work in 2018 as well as staff's findings 
from the 2018 compliance review. This report is intended to provide consumers, regulators 
and others with visibility into the NAlI’s compliance program and self-regulatory process. In 
addition, this report helps illustrate how the compliance process shapes the evolution and 
goals of the NAI's policies and procedures, to ensure that the NAI continues to offer a vibrant 
self-regulatory program that responds to new issues and technologies in a practical way that 
continues to be highly relevant amidst marketplace changes. 
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2018: 
THE YEAR 
IN REVIEW 


The NAI’ self-regulatory program continues to develop and progress along 


with the advertising technology ecosystem and the privacy field more broadly. 
Each year the NAI sets forth its goals for the following year, and for 2018 the NAI 
pledged to: (1) begin enforcement of the 2018 NAI Code of Conduct; (2) publish 
Guidance relating to the collection and use of data on connected televisions; 

(3) work with members and industry stakeholders to reexamine terminology in 
the Code while working on the development of a thoroughly revised Code of 
Conduct, intended to incorporate the use of “offline” or Customer-Relationship 
Management (CRM) data; and (4) continue improvement of its technical 


monitoring suite. 
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In 2018, 11 new member companies were approved 


by the NAI Board of Directors. 


The NAI began its enforcement of the 2018 Code of Conduct in January of 2018, helping to 
ensure that all members were in a good position to comply with the Code during the course 
of the year. The NAI published its “Guidance for NAl Members: Viewed Content Advertising,” 
in July of 2018, bringing its self-regulatory efforts to the television space.’ The NAI Board 

and NAI staff dedicated extensive time in 2018 to draft a new Code of Conduct for a new 
decade of digital advertising, culminating in a thoroughly reworked Code of Conduct that 
encompasses new business models and marketing strategies, including the use of “offline” 
data by advertisers. This 2020 NAI Code of Conduct,’ which the NAI published in May of 2019, 
also reexamines much of the terminology used by the NAI and introduces numerous new 
concepts. The 2020 Code of Conduct is scheduled to go into effect on January 1, 2020. The 
NAI further revamped its technical monitoring tools to streamline its analysis methods and to 
better prepare for monitoring of the NAI opt-out page in 2019. 


NAI compliance staff began enforcement of the 2018 Code of Conduct on January 1, 2018. 


Throughout 2018, NAI staff worked on the completion of an overhaul of its technical 
monitoring tools to dramatically improve functionality as well as to provide more consistent 
results and metrics. While the NAI continues to refine these tools, this work has already 

led to a more dependable view of members’ activities and the availability of Opt-Out 
Mechanisms on the NAI website. 


a; | 


co ANNUAL 
S REPORT 


O—————— eM 


2018 NAI ACTIVITY 


New Member 


Companies 


New Educational 
Materials 


Sixth Member 
Summit 


NALS 


2018 Code 
of Conduct 
Enforced 


Testimony 
at TC 
Hearings 


NAI staff worked with members and other 
industry stakeholders to monitor technical 
and policy developments in the connected 
television space. The information gleaned 
from this process resulted in the NAI’s 
publication of Guidance for NAI Members: 
Viewed Content Advertising, in July of 
2018. 


The NAI hosted its sixth annual Summit in 
2018, bringing this one-of-a-kind industry 
event to Miami for the first time. This 
annual event provides member companies 
with an opportunity to join robust 
discussion about the latest technologies, 
regulatory and legislative trends, and 
emerging business models. The 2018 
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Expanded 
Public Policy 
Outreach 


Guidance 
for Data Collection 
and use on 
Connected TVs 


Summit included timely discussions about 
consumer perspectives on data privacy, the 
nature of personal information, connected 
televisions, and other relevant topics which 
inform NAI members’ behavior in the 
marketplace. 


Eleven new members joined the NAI 

in 2018. This strong interest in NAI 
membership demonstrates that effective 
self-regulation continues to be a vital 
component in building trust not only 
between the advertising technology 
industry and consumers, but also between 
member companies and service providers, 
publishers, and advertisers. 


PUBLIC POLICY 


2018 saw the General Data Protection 
Regulation (GDPR)'° come into force, 
dramatically changing the way NAI 
members and other digital advertising 
businesses operate across Europe. This 
year also marked the enactment of the 

first comprehensive U.S. state privacy 
legislation, the California Consumer Privacy 
Act (CCPA)." 


The NAI greatly expanded its public 
policy efforts in 2018 by hiring additional 
staff, including a new Vice President for 
Public Policy. This investment in staffing 
and expertise allowed the NAI to engage 
with legislators and regulators on a far 
more frequent basis to exchange ideas 
and information about the intricacies of 
digital advertising, the most pressing 
privacy concerns in this area, and how 
self-regulation can provide a foundation 
and become an essential complement 

to new regulations. Highlights from 2018 
included NAI Board member testimony 

at a congressional hearing on digital 
advertising,’ the development of detailed 
educational materials about digital 
advertising, and NAI staff conducting 
multiple advertising technology briefings for 
policymakers and privacy thought leaders. 


Over the past year the NAI became a 
leading voice for the advertising industry 
and third-party advertisers, in promoting a 
new federal privacy framework. As part of 
its efforts in this space, the NAI submitted 
detailed comments to the Department of 
Commerce and held a series of meetings 
on Capitol Hill to help cultivate support 
for federal legislation that balances 
consumer privacy with consumer benefits 
of responsible digital advertising. The 
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NAI also played a leadership role in the 
Fedreal Trade Commission (FTC)'s efforts 
to inform and shape the national privacy 
debate, submitting detailed comments 
and providing testimony by NAI President 
& CEO, Leigh Freund, on behalf of the 
industry in support of self-regulation.'° 

On the state level, the NAI increased 

its advocacy efforts to support multiple 
amendments to the CCPA, aimed at 
providing additional clarity for businesses 
and highlighting some provisions in the 
act that could potentially impede the 
privacy-protective practices long promoted 
by the NAI and its members. As part of this 
process, the NAI also engaged with the 
office of the California Attorney General in 
support of additional flexibility and clarity 
in implementing regulations. 


In Europe, the NAI participated in 
dialogues with European policymakers 
on behalf of its members and took 

a leadership role in the continued 
development of the Transparency and 
Consent Framework (TCF) promulgated 
by the Internet Advertising Bureau in the 
European Union." 


The common objective in all of the NAI’s 
public policy efforts was to promote 
policies that ensure strong consumer 
privacy protections, but also enable 
thriving and vibrant digital content 

that is supported by innovative digital 
advertising solutions. Further, the NAI 
has continued to advocate for a key 

role for self-regulation as a means of 
supplementing and enhancing state and 
federal legislation, and a method for 
companies that participate in such self- 
regulatory efforts to demonstrate their 
compliance with legislative and regulatory 
requirements. 
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THE NAI 
COMPLIANCE 
PROGRAM 


JOINING THE NAI: COMPLIANCE BEGINS BEFORE MEMBERSHIP 


Companies interested in NAl membership cannot simply join the NAI; they 
must commit to compliance with the Code. Compliance efforts begin even 
before a company becomes a member. At least two members of NAI staff with 
legal and technological expertise evaluate each applicant's business model and 
privacy practices. These reviews focus on the applicant's responses to the NAI 
application questionnaire, the company’s privacy disclosures, and information 
regarding the company’s data collection, use, retention, and sharing practices, 
to ensure those practices are consistent with the Code. Additionally, an NAI 
technologist evaluates the applicant's consumer choice mechanisms and data 
collection practices. NAI staff then conducts interviews with high-level employees 
at the company, asking further detailed questions, including those aimed at 
resolving potential discrepancies identified based on the application materials, 


or business practices that may be inconsistent with the Code. 


O—————— 


An applicant that wishes to complete the application 
process must work with NAI staff to help bring its 
relevant services and products into a position to 
comply with the Code. NAI staff evaluates each 
applicant's practices and disclosures, highlighting 
those that need to be addressed before the company 
can become a member of the NAI. Though some 
companies attain membership within a few weeks, 
for others, the initial qualification assessment can 

be a months-long process, with the NAI providing 
guidance and suggestions about compliance along 
the way. As a result of the NAI application review 
process, many applicants make substantial revisions 
to their public privacy disclosures in order to provide 
the full level of notice required by the Code. Typically, 
NAI staff provides technical guidance to help an 
applicant develop an Opt-Out Mechanism’ that is 
capable of meeting the Code’s requirements and to 
ensure compatibility with the NAI opt-out page. At 
times, applicants have abandoned or dramatically 
revised entire lines of business that did not, or could 
not, meet the requirements of the Code.'* 


Once this pre-membership review is completed, NAI 
staff submits a recommendation for membership to 
the Membership Subcommittee of the NAI Board 

of Directors, followed by the full Board. The NAI 
Board of Directors comprises seasoned attorneys and 
compliance executives from up to fourteen leading 
member companies. The Membership Subcommittee 
of the Board reviews each application, often 
requesting additional information from an applicant, 
before recommending acceptance of a new member 
to the full Board. Therefore, each potential member is 
reviewed first by NAI staff, second by the Membership 
Subcommittee, and finally by the full NAI Board. This 
review process helps establish that an applicant has 
administrative, operational, and technical capabilities 
that can comply with the requirements of the Code 
before the company is admitted to the NAI. 


In 2018, eleven companies" completed the 
application process and were approved for 
membership by the Board. 
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At the close of the 2018 
compliance review period, 
the NAI Board consisted of: 


Douglas Miller, Chairman, NAI Board of 
Directors; Vice President and Global Privacy 
Leader, Oath Inc. 


Ted Lazarus, Vice-Chairman, NAI Board of 
Directors: Director, Legal, Google 


Ari Levenfeld, Secretary, NAI Board of Directors: 
Chief Privacy Officer, Sizmek 


Julia Shullman, Treasurer, NAI Board of 
Directors; Vice President, Chief Privacy Counsel, 
AppNexus 


Jason Bier, EVP General Counsel & Chief Privacy 
Officer, Engine Media 


Michael Blum, Chief Legal Officer, Quantcast 


Kevin Ching, Senior Vice President, Product and 
Data Strategy, NinthDecimal 


Ken Dreifach, Shareholder, Zwillgen, on behalf 
of AdRoll 


Rachel Glasser, Chief Privacy Officer, 
Wunderman 


Brad Kulick, Senior Director of Privacy, Yahoo! 


Alice Lincoln, Vice President of Data Policy & 
Governance, MediaMath 


Tia Link, Senior Legal Counsel, Xaxis 


Daniel Shore, Director, Privacy Counsel, 
Conversant 
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MONITORING OF MEMBERS 


NAI Technical Monitoring 


Once companies demonstrate their One of the main benefits of these 

mus edd omens ewe automated monitoring tools is its ability to 
cic eee A E help NAI Staff spot and remedy potential 

as they maintain their membership. problems quickly, thus enabling the NAI to 


One way the NAI helps facilitate this 
process, even in between the annual 


address potential concerns with members 
before they become widespread. 


NAI compliance reviews, is through 
its automated monitoring suite which 


includes a Privacy Disclosures Scanner 
that allow staff to flag potential issues 
for review or investigation. The NAI monitoring suite is under continuous development and 
was further revised in 2018 to provide improved stability and functionality. 


One of the main benefits of these automated monitoring tools is its ability to help NAI staff 
spot and remedy potential problems quickly, thus enabling the NAI to address potential 
concerns with members before they become widespread and affect large numbers of 
consumers. One of the issues the monitoring tools flags relates to revisions of privacy policies. 
Once an issue is flagged through the monitoring tools, NAI staff promptly reviews the 
situation. Upon further review, NAI staff typically confirmed that these flags did not actually 
involve violations of the Code. A common example is that of a flag that may have been raised 
when a privacy policy appeared to be inaccessible, though further investigation demonstrated 
that the disclosures in question had been moved to a different URL and continued to be 
accessible to consumers. 


As in prior years, on a number of occasions the NAI’s monitoring tools flagged actionable 
issues that might have resulted in violations of the Code if left unaddressed. For example, 
several NAI members were acquired by or merged with other companies, resulting in changes 
to their privacy disclosures. In other cases, members’ privacy policy links were accidentally 
removed, or were not moved to new domains during a rebrand. Such issues were generally 
spotted by NAI staff very rapidly and resolved by member companies shortly after notification. 
None of these instances were considered to rise to the level of material non-compliance 

with the Code because the underlying issues were resolved quickly, were found to be 
unintentional, and affected a limited number of consumers. Additionally, where applicable, 
NAI staff suggested methods through which members could prevent such issues from 
recurring in the future. 
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Web-based Opt-Out Testing 


The NAI administers ongoing reviews of member opt outs through routine manual checks of 
the NAI's opt-out page followed by more in-depth analysis relying on technical tools. An NAI 
staff member routinely verifies that the NAI opt-out page continues to function as expected, 
and follows up with an in-depth network analysis. Although problems were rare, the majority 
of issues investigated in 2018 were the result of connection speeds. Each member company, 
when integrating for the first time with the NAI opt-out page, has its own configuration 

checked and tested by NAI staff, which prevents many issues prior to live deployment. 


Additionally, the NAI monitors and reads consumer emails received regarding specific 
functionality issues that may be difficult to identify with in-house testing, such as temporary 
malfunctions on load-balancing servers that affect only certain regions of the United States. 


This multi-faceted approach aims to promptly identify and address most potential problems 
with member Opt-Out Mechanisms. The combination of monitoring, daily manual testing, 
and review of consumer communications helps the NAI and its members limit opt-out 
downtime and to resolve opt-out issues before they result in non-compliance with the Code. 


Privacy Disclosures Scanner 


The NAI Privacy Disclosures Scanner scans member companies’ web pages for privacy policy 
and other disclosure modifications, as well as errors in accessing those pages. These scans 
help NAI staff identify a variety of potential compliance issues, including incomplete or 
missing disclosures and broken links or 


non-conforming Opt-Out Mechanisms. 
NAI staff works with members to 


ee ee ener | ene eer em In 2018, the NAI Privacy Disclosures Scanner 
monitored over 340 pages for changes that 


The Privacy Disclosures Scanner helps 


bring riumerous business model could affect member compliance with NAI 


changes to the attention of NAI staff, disclosure requirements. 
such as new products offered by NAI 


member companies, and acquisitions 

of new brands and business lines. 

Because disclosures in privacy policies usually occur in anticipation of the launch of a new 
product, spotting these changes allows NAI staff to help members evaluate how existing 
requirements under the Code apply to these new products and offerings. This knowledge, 
in turn helps the NAI further optimize its monitoring tools and aids NAI staff in incorporating 
new concepts into the following year’s annual compliance reviews. 


Many of the changes to members’ privacy disclosures in 2018 were the result of members 
responding to action items and feedback provided by NAI staff, or members proactively 
disclosing a new product or technology. The 2018 compliance team relied on the Privacy 
Disclosures Scanner to focus more specifically on verifying that changes discussed with 
evaluated member companies were incorporated in their privacy disclosures. 
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In 2018, the NAI Privacy Disclosures Scanner captured over 2300 snapshots of privacy 
policies, monitoring over 340 pages. 


NAI staff continues to acknowledge that members face the difficult task of explaining to 
consumers in a concise, yet clear and meaningful manner what data they are collecting 
and using for digital advertising. The NAI also recognizes that members must balance the 
need to be concise with the need to provide thorough disclosures. NAI staff applies its 
extensive knowledge of the industry, understanding of the Code, and expert judgment in 
determining the relative adequacy of the disclosures in a member's privacy policy from an 
NAI compliance perspective. 


Investigating Consumer Communications 


The NAI website provides a centralized 
mechanism for consumers to ask questions and In 2018 the NAI received over 
raise concerns about member compliance with the 5 


Code (§ IIl.C.1.). 


2000 consumer queries through 
its website or via email. 


In 2018, the NAI received and reviewed 2000 

queries through its website and 77 contacts via 
telephone. NAI staff determined that, as in the 
past, a vast majority of the inquiries received did not pertain to issues within the scope of the 


NAI's mission. For example, many communications were questions from users about junk email, 
attempts to reach the publishers of specific websites, or other issues not covered by the Code. 


Approximately 10 percent of consumer inquiries were related to the NAI, the NAI Code, 
or NAl member companies. The majority of these inquiries were requests for assistance 
in troubleshooting technical issues with IBA opt outs, particularly in cases where browser 
controls blocked third-party cookies, ISP/workplace Internet filters or anti-virus software 
prevented opt-out cookies from being set on the consumer's browser, or temporary 
connectivity issues such as latency and connection speed led to malfunctions. 


All consumer communications received by the NAI in 2018 that could be resolved by the 
NAI as part of its compliance reviews were promptly resolved by NAI staff. There were 
no consumer allegations of member non-compliance with the Code that NAI staff 
determined to be material in nature. 


Investigating Other Allegations and Complaints 


In addition to the NAI’s own monitoring and research, NAI staff also scrutinized a 
variety of other sources for potential instances of member non-compliance, including 
published articles, public allegations by privacy advocates, complaints to the NAI by 
third parties or other NAI members, and investigations by other regulatory bodies. 
In 2018, NAI staff conducted one investigation based on public allegations of potential 
non-compliance with the Code."® 
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ANNUAL REVIEW 


As part of their membership obligations, NAI 
members are required to annually undergo 
reviews of their compliance with the Code by NAI 
compliance staff. 


In 2018, the NAI reviewed 


92 member companies. 


During the 2018 annual compliance review, NAI staff reviewed the 92 companies that were 
members from January 1 through December 31, 2018.1? These members are referred to as 
“evaluated member companies” throughout this report. Those members that joined the NAI 
after January 1, 2018” were already subject to an extensive review during the calendar year as 
part of the on-boarding process, and therefore were not part of the 2018 annual compliance 
review. Those members will be assessed again during the 2019 annual review process.” 


Training 


In 2018, the NAI provided a number of training and educational sessions for its 
members, including webinars and staff visits to member company offices. 


The NAI hosted two webinars, in coordination with legal experts, to help educate members 
about the effects of privacy legislation in Europe and California. NAI staff also hosted two 
educational webinars to explain member obligations when collecting or using data for digital 
advertising on connected televisions, coinciding with the publication of the NAI’s Guidance 
on Viewed Content Advertising. 


In total, the NAI held four all-rmember calls or webinars throughout 2018, including 
educational calls featuring legal and technology experts. NAI staff also made numerous 
visits to member company offices in order to provide in-person education regarding Code 
requirements and ongoing developments in the industry. 


Written Questionnaire and Supporting Documentation 


Evaluated member companies submitted written responses to the 2018 compliance 
questionnaire, which was revised to conform with the enforcement of the 2018 Code of Conduct. 
The questionnaire required evaluated member companies to describe their business practices 
and policies in relation to the requirements of the Code and NAI Guidance documents. Where 
relevant, the questionnaire also requested that evaluated member companies provide supporting 
documentation such as sample contract language, links to specific disclosures, and lists of cookies 
or other identifiers. Building on information obtained from prior reviews, this questionnaire also 
covered policies governing Personalized Advertising practices; contractual requirements imposed 
on business partners concerning notice and choice around Personalized Advertising activities; 
other protections for data collected and used for Personalized Advertising purposes, such as data 
retention schedules; and processes for oversight and enforcement of contractual requirements. At 
the end of the compliance review period, the NAI required members to sign attestation forms to 
confirm that their responses continued to be accurate to the best of the member's knowledge. 
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A minimum of two NAI staff members reviewed each evaluated member company’s 
questionnaire responses and related materials to assess compliance with the Code together 
with representations about business practices available from the evaluated member company’s 
public and non-public materials. These materials generally included news articles, the member 
company’s website, privacy policies, terms of service, and sample advertising contracts. 


Interviews 


Following the review of questionnaire submissions and other supporting materials, at 

least two members of NAI staff interviewed representatives from every evaluated member 
company. These interviews were conducted primarily with high-level legal, management, or 
engineering representatives of evaluated member companies. NAI staff explored the business 
practices of evaluated member companies, and wherever necessary clarified questionnaire 
responses that appeared to be incomplete, vague, unclear, or raised questions based on the 
NAI's own review of a company’s business model. As appropriate, the NAI compliance team 
also queried technical representatives about data flows, opt-out functionality, data retention 
policies and procedures, and technologies used for Personalized Advertising. 


Conducting interviews with all evaluated member companies provides the compliance team 
with additional in-depth insight into each company’s products, especially as new business 
models and technologies continue to emerge. This integrated view of the industry, resulting 
from direct engagement and regular contact with over 100 companies comprising a significant 
portion’ of the third-party advertising technology ecosystem, greatly increases the staff's 
ability to flag potential privacy issues for members and shapes NAI staff recommendations 
regarding future guidance and policies. The candor reflected in both compliance 
questionnaire and interview responses is only possible due to the mutual trust between NAI 
members and the organization. 


These interviews also offer an opportunity for the compliance team to provide best practice 
suggestions for evaluated member companies. During these calls staff reminded evaluated 
member companies to perform frequent checks of their Opt-Out Mechanisms to ensure they 
function correctly. NAI staff also suggested steps evaluated member companies should take 
when working with third-party data providers, to help ensure that data comes from reliable 
sources. The NAI often provided recommendations on alternative language for privacy 
disclosures, based on NAI staff's collective experience reading hundreds of member privacy 
policies, as well as the disclosures of a multitude of web and app properties. 


Attestations 


After the completion of the questionnaire and interview process, and as a final step in the 
annual compliance review, evaluated member companies were required to attest in writing to 
their ongoing compliance with the Code. Evaluated member companies were also required to 
attest to the veracity of the information provided during the review process.” 
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| EVALUATED MEMBER COMPANIES 


33Across 
AcuityAds 
Adara 
AddThis 
Adobe 
AdRoll 
Amobee 
Apollo 
AppNexus 
Appreciate 
BazaarVoice 
Beeswax 
Bouncex 
Choozle 
Clickagy 
Collective 
Conversant 
Criteo 
Cross Pixel Media 
Cuebig 
DataXu 
Datonics 
Drawbridge 
EMX 
Exelate 
Exponential 
Eyeota 
EyeView 
Factual 
Flashtalking 
Freckle 


Fysical 
Google 
GumGum 
Ignition One 
IHS Markit 
Index Exchange 
inMarket 
Innovid 
Intent Media 
Kargo 

KBM Group 
Krux 
Lotame 
Magnetic 
Media.net 
MediaMath 
Microsoft 
MIG 

MiQ 
Narrativ 
Netmining 
Netseer 
Neustar 
NinthDecimal 
Numberly 
Oath 
OneMarket 
Oracle 
Outbrain 
OwnerIQ 
Parrable 


PlacelQ 
Pubmatic 
Pulpo 
PulsePoint 
Qualia 
Quantcast 
Rakuten Marketing 
Retargetly 
Reveal Mobile 
RhythmOne 
Rubicon 

RUN 
SambaTV 
ShareThis 
Signal 
Simpli.fi 
Sizmek 
Skyhook 
Steelhouse 
Taboola 
TapAd 

The Trade Desk 
Throtle 

Turn 
Undertone 


Varick Media 
Management 


Viant 
Vibrant 
Xaxis 
Yahoo! 
Yieldmo 
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2018 
ANNUAL REVIEW 
FINDINGS 


The Code requires the NAI to publish the results of its annual review, 
providing an opportunity for the NAI to summarize members’ compliance 
with the Code and NAI policies (Code § III.B.4.). The following section 
presents the findings of NAI staff with respect to the 2018 annual review. This 
section also more fully summarizes the obligations imposed by the Code, but 
does not restate all principles and requirements set forth in the Code, and as 
such it should not be relied upon for that purpose. The full Code, including 
definitions of relevant terms, can be found through the links provided in this 


report or on the NAI website. 
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—@ EDUCATION 


Key Requirements: 


(Code § II.A.) 


Members should use reasonable 
efforts to individually educate 
consumers about Personalized 
Advertising, and are required to 
collectively maintain an NAI website 
for the same purpose. 


Review Method: 


NAI staff reviewed member 
websites to assess educational 
components in privacy policies and 
elsewhere on the sites. 


NAI staff monitored member 
contributions to the NAI's 
educational public service 
advertising campaign. 


NAI staff interviewed members to 
assess other educational and public 
service efforts. 


Findings: 


All members collectively educated consumers through the provision of 
the NAI website, which serves as a centralized portal for explanations 
of Personalized Advertising and associated practices, as well as for 
providing consumer access to choice mechanisms. 


NAI staff found that evaluated member companies provided 
information regarding the technologies used for Personalized 
Advertising, as well as a clear link to a consumer choice page. In 
addition, NAI staff found that multiple evaluated member companies 
provided separate consumer education content outside their privacy 
disclosures or opt-out pages. These pages were dedicated to 
explaining the evaluated member's Personalized Advertising activities 
and provided consumers with an easy-to-locate choice mechanism. 


A number of NAI members donated impressions to the NAI’s public 
service advertising campaign, resulting in over 170,000 consumer visits 
to the NAI website. 


Several NAI members also play key roles in the Federation for Internet 
Alerts (FIA), which uses digital advertising technology for the common 
good, distributing life-saving information to the right viewers at the 
right time, including such crucial communications as missing child 
Amber Alerts and severe weather warning. Other NAl members 
participated in programs such as Data for Good, providing the 
scientific community with access to limited data sets which can improve 
models to enhance evacuation planning and execution in disaster 
areas or optimize city planning and transportation. Through their 
contributions to the NAI’s education campaign, as well as through 
informational material on their own websites, evaluated member 
companies collectively invested considerable effort and resources 
to educate consumers about Personalized Advertising while also 
using advertising technology to benefit society. 
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—@ TRANSPARENCY AND NOTICE 


Key Requirements: 


(Code § I1.B.1.) 


Each member is required to provide clear, meaningful, 
and prominent notice on its website that describes the 
member's data collection, transfer, retention, and use 
practices for Personalized Advertising and Ad Delivery 
and Reporting, as well as links to or descriptions of Opt- 
Out Mechanisms and attestations of NAl membership 
and compliance with the Code. 


(Code § II.B.2.) 


Members that use standard interest segments for 
Personalized Advertising that are based on health-related 
information or interests are required to disclose such 
segments on their websites. 


(Code §8 II.B.3-4.) 


Members that have direct contracts with website or 
mobile app publishers with which they engage in 
Personalized Advertising are required to take steps 

to contractually require those publishers to provide 
users with notice of third-party data collection and use 
for these purposes, the types of data collected, and a 
conspicuous link to or a description of how to access an 
Opt-Out Mechanism. 


(Code § I1.B.6.) 


Members are required to provide, or support the 
provision or implementation of, notice of Personalized 
Advertising data collection and use practices and the 
NAlI-supported choices available to users, in or around 
advertisements that informed by such data. 


Review Method: 


NAI staff used technical monitoring tools to identify 
changes to member company privacy disclosures on a 
regular basis. Staff reached out to member companies 
when those changes appeared to remove required 
disclosures or indicated material changes to the 
company’s products and practices. 


NAI staff assessed the privacy policies and other privacy- 
related disclosures of evaluated member companies 

in juxtaposition with the Personalized Advertising and 
Ad Delivery and Reporting practices described in each 
company’s annual interview, its corporate site, responses 
to the annual compliance review questionnaire, business 
model changes discovered through ongoing technical 
monitoring, and news articles. Where appropriate, the 
NAI offered evaluated member companies suggestions 
to make privacy disclosures clearer and easier to 
understand. 


NAI staff reviewed the websites of evaluated member 
companies to determine if they met the obligation to 
provide “prominent” notice. 


NAI staff reviewed sample contractual language provided 
by evaluated member companies to confirm that these 
contracts included appropriate requirements for website 
and mobile app publishers to provide users with “pass- 
on” notice of Personalized Advertising data collection 
and use. 


NAI staff questioned evaluated member companies 

to ensure that they provide or support the provision or 
implementation of notice in or around ads informed by 
Personalized Advertising. 


NAI staff questioned evaluated member companies to 
determine if those companies used standard segments 
based on health-related information, and then reviewed 
those companies’ websites to help ensure that such 
segments were disclosed. 
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Findings: 


NAI staff found that all NAI 

member companies provided 
privacy policies that described 

their respective Personalized 
Advertising and ADR practices. 
Compared to previous reviews, 
Member Companies continued to 
provide more thorough and easier 
to understand disclosures regarding 
data collection and use in mobile 
apps, as well as clearer explanations 
of Cross-Device Linking practices, as 
applicable. 


NAI staff worked with member 
companies to provide feedback 
and suggestions when disclosures 
were not clear in given areas. In 
those instances when a required 
disclosure was missing or 
inadequate, evaluated member 
companies worked with NAI staff to 
provide updates in a timely manner. 


NAI staff found that all evaluated 
member companies provided 
easy-to-find links to their privacy 
disclosures in the footer or 
header of the homepage of 

their websites, and that nearly all 
evaluated member companies 
provided separate and distinct 
links, directly on the home pages 
of their sites, pointing to opt-out 
instructions for users. In several 
instances when new graphic 
designs or features on a website 
impacted the prominence of a link 
to privacy disclosures, NAI staff 
worked with members to address 
the issue in a timely manner. 


NAI staff found that evaluated 
member companies complied 
with the requirement to provide 
disclosures of any standard health- 
related audience segments in a 
variety of formats. Some member 
companies provided disclosures of 
all standard audience segments, 
regardless of topic, while some 
instead provided preference 
managers or other tools that 

not only allowed users to view 
available segments but also 
enabled granular control for 
those consumers who wished (or 
did not wish) to receive targeted 
ads on specific topics. Many 
other companies provided these 
disclosures through links from 
the privacy or marketing sections 
of their sites. As in prior years, 
NAI staff noted that compliance 
with this requirement continues 
to improve from year to year with 
more complete and accessible 
disclosures resulting from prior 
discussions with NAI staff. 


A review of evaluated member 
companies’ sample partner 
contracts indicates that these 
companies included appropriate 
contractual requirements regarding 
user notice and choice, when 
possible, while working directly 
with website and application 
publishers. NAI staff advised 
several member companies to also 
include contractual requirements 
for partners to provide a link to an 
industry opt-out page on a going- 
forward basis, if such requirements 
were not already present. 
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NAI staff found that many 
evaluated member companies 
conduct due diligence on 
websites and applications 

where they sought to conduct 
Personalized Advertising activities, 
when initiating a relationship with 
those partners. Some evaluated 
member companies trained their 
sales teams to evaluate such 
notice when onboarding new 
partners, and some member 
companies did not do business 
with partners unwilling to include 
the requested notice. Many 
evaluated member companies 
also perform random follow-up 
checks of their partners. A number 
of evaluated member companies 
reviewed thousands of publishers 
for the required disclosures. 


NAI members continued to 

lead industry efforts to provide 
real-time notice and choice to 
consumers in and around the ads 
delivered to them by serving a 
form of enhanced notice, such as 
the YourAdChoices icon which 

is served in nearly all targeted 
ads. Those evaluated member 
companies that offer technology 
platforms, and only facilitate the 
collection of data by their clients 
for IBA or CAA, provided their 
clients with the ability to include 
this notice on their advertisements 
through their own platform 
settings. 
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—@ USER CONTROL 


Key Requirements: 


(Code § II.€.1.) 


The level of choice that members must provide is 
commensurate with the sensitivity and intended use 

of the data. This includes provision of an Opt-Out 
Mechanism for the use of DII for Personalized Advertising 
(a), robust notice for the merger of PII with DII to be 
collected on a going forward basis for Personalized 
Advertising (b), obtaining a user's Opt-In Consent 

for the merger of PII with previously collected DII for 
Personalized Advertising (c), and obtaining a user's Opt-In 
Consent for the use of Precise Location Data, Sensitive 
Data, or Personal Directory Data for Personalized 
Advertising (d-f). 


(Code § II.€.2.) 


An Opt-Out Mechanism for a member's web-based 
Personalized Advertising shall be made available on both 
the member's website and on the NAI website. 


(Code § 11.0.3.) 


While a browser or device is opted out of Personalized 
Advertising by a member, that member shall cease data 
collection on the opted-out device for Personalized 
Advertising use on any other browser or device 
associated through Cross-Device Linking, and shall cease 
Personalized Advertising on the opted-out device using 
data collected on any other browser or device associated 
through Cross-Device Linking. 


(Code § II.C.5.) 


The technologies that members use for Personalized 
Advertising purposes shall provide users with an 
appropriate degree of transparency and control. 


Review Method: 


Throughout the year, NAI staff monitored member 
company Opt-Out Mechanisms present on the NAI 
website to help ensure that these mechanisms functioned 
correctly. 


NAI staff performed in-depth manual reviews of member 
company Opt-Out Mechanisms present on the NAI 
website and the member company’s own website to 
help ensure that these mechanisms functioned correctly, 
including the expiration dates of opt-out cookies. 


NAI staff reviewed the instructions provided by members 
for opting out of Cross-App Advertising through 
applications or platform-provided choice mechanisms. 


In those instances where an evaluated member company 
engaged in Cross-Device Linking, NAI staff confirmed 
with the member company that opt outs met NAI Code 
requirements and the effect of opt outs on Cross-Device 
Linking was clearly explained to users by the company. 


NAI staff reviewed detailed questionnaires, required 

of all evaluated member companies, regarding 

the functionality of their Opt-Out Mechanisms, the 
technologies used for Personalized Advertising, and 
the purposes for any unique identifiers existing after an 
opt out. These responses were referenced during each 
member company’s annual interview. 


In those instances where an evaluated member company 
engaged in activities that required the provision of robust 
notice or obtaining a user's Opt-In Consent, NAI staff 
reviewed such notice and consent mechanisms to help 
ensure their adequacy under the Code. 


Findings: 


All members engaged in web- 
based Personalized Advertising 
provided opt outs on both their 
own websites and the NAI industry 
opt-out tool. NAI testing indicated 
that these opt outs functioned 
correctly during a vast majority of 
the time. In the several instances 
where NAI staff discovered 
glitches or malfunctioning links, 
these were addressed by affected 
member companies within a 
reasonable timeframe, typically 

in less than a week. In all such 
cases, NAI staff determined that 
the malfunction was unintentional, 
appeared in limited locations and/ 
or for a limited time period, and 
did not affect a significant number 
of users. 


NAI staff found that any cookies 
used by NAI members after an opt 
out were used only to maintain 
the user's opt-out status or for 

Ad Delivery and Reporting, as 
permitted by the Code. Staff also 
found that all opt-out cookies 
were set to expire at least five 
years in the future, and often many 
years beyond that. In all of the few 
instances where opt-out cookies 
appeared to fall short of the 
required five-year timespan, this 
was on account of leap years, and 
staff advised members to account 
for such discrepancies. 


NAI staff found that all evaluated 
companies that were engaged in 
Cross-Device Linking appeared 

to provide opt-outs that met NAI 
requirements for disassociating 
the opted-out device from 

other devices for Personalized 
Advertising purposes, and 

that these member companies 
provided disclosures explaining 
the opt out'’s effect on Cross- 
Device linking. In those instances 
where evaluated member 
companies’ disclosures could have 
benefited from additional clarity in 
this area, staff provided guidance 
on how disclosures could provide 
further clarity. 


NAI staff found that all evaluated 
member companies engaged in 
Cross-App Advertising provided 
an easy-to-use consumer choice 
mechanism. Staff found that 

the vast majority of evaluated 
member companies provided 
clear disclosures around such 
mechanisms, often pointing to the 
NAI’s own detailed instructions 
for users who wish to enable 
privacy controls on their mobile 
devices. In those instances where 
evaluated member companies’ 
disclosures could have benefited 
from additional clarity in this area, 
staff provided guidance on how 
disclosures could provide such 
clarity, for example by including 
more detailed instructions on where 
in their device's settings users can 
find the relevant privacy controls. 
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NAI staff found that all evaluated 
member companies engaged in 
the collection and use of Precise 
Location Data for Personalized 
Advertising obtained Opt-In 
Consent, or reasonable assurances 
that the party collecting the data 
obtained such consent on the 
member's behalf under the DAA’s 
guidance on this topic.” Staff 
found that the vast majority of 
evaluated member companies 
provided clear disclosures around 
the collection of Precise Location 
Data and the choices available 

to users with respect to such 
collection. In those instances 
where evaluated member 
companies’ disclosures could have 
benefited from additional clarity in 
this area, staff provided guidance 
on how disclosures could provide 
further clarity. 


NAI staff found that nearly all 
evaluated member companies 
did not engage in the collection 
of PII for Personalized Advertising 
or the merger of such data with 
DII collected for Personalized 
Advertising. Where applicable, 
NAI staff evaluated the robust 
notice provided by evaluated 
member companies, and/or the 
Opt-In Consent obtained by 
member companies engaged 

in the merger of PII with DII 

for Personalized Advertising 
and found that they met Code 
requirements. 
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User Control Findings, continued 


NAI staff found that nearly all evaluated member companies did not engage in the use of Sensitive Data for 
Personalized Advertising. Where applicable, NAI staff evaluated the Opt-In Consent obtained by member 
companies engaged in the use of such data for Personalized Advertising and found that it met Code 


requirements. 


NAI staff found that no NAI members engaged in the collection of Personal Directory Data for Personalized 


Advertising purposes, and thus did not evaluate any Opt-In Consent mechanisms used for such data collection. 


NAI staff found that all evaluated member companies using Non-Cookie Technologies for web-based 


Personalized Advertising provided adequate disclosures around this topic and were integrated with the NAI's 
Opt-Out Mechanism for the use of Non-Cookie Technologies. 


—@ USE LIMITATIONS 


Key Requirements: 


(Code § II.D.1.) 


Members shall obtain verifiable 
parental consent for the creation of 
Personalized Advertising segments 
specifically targeting children under 
13 years of age. 


(Code § II.D.2.) 


Members shall not use, or allow 
the use of, data collected for 
Personalized Advertising or ADR 
for the purpose of determining 

or making eligibility decisions 
regarding employment, credit, 
health care, or insurance, including 
underwriting and pricing. 


Review Method: 


NAI staff reviewed detailed 
questionnaires, required of all 
evaluated member companies, and 
interviewed members, regarding 
Personalized Advertising segments 
specifically targeting children under 
13 years of age. 


NAI staff reviewed detailed 
questionnaires, required of all 
evaluated member companies, and 
interviewed members regarding the 
use of data for eligibility decisions. 


Findings: 


All evaluated member 
companies indicated 
awareness of the sensitivity 
of data related to children 
for Personalized Advertising, 
and all confirmed that they 
do not specifically target 
children under 13. 


All evaluated member 
companies indicated 
awareness of the sensitivity 
of the use of data for 
eligibility decisions, and all 
confirmed that they do not 
use, or allow the use of, data 
for such purposes. 


—@ TRANSFER RESTRICTIONS 


Key Requirements: 


(Code § II.E.1.) 


Members shall require any partners to which they 
provide PII for Personalized Advertising and ADR 
purposes, adhere to the provisions of the Code 
concerning PIl. 


(Code § II.E.2.) 


Members shall require all parties to which they provide 

DII not attempt to merge such DII with PII held by the 
receiving party or to otherwise re-identify the individual 

for Personalized Advertising purposes without obtaining 
the individual's Opt-In Consent. This requirement does not 
apply if the DII is proprietary data of the receiving party. 
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Review Method: 


NAI staff reviewed detailed questionnaires, required 
of all evaluated member companies, and interviewed 
members regarding the transfer restrictions in place 
when members share data with third parties. 


Findings: 


All evaluated member companies indicated 
awareness of the restrictions that must be placed 
on data transferred to third parties, and all attested 
that they place such restrictions on applicable data 
transfers either explicitly or implicitly. 


DATA ACCESS, QUALITY, SECURITY, AND RETENTION 


Key Requirements: 


(Code § II.F.1.) 


Members retaining PII for Personalized Advertising, and 
not offering an Opt-Out Mechanism to exclude such PII 
from Personalized Advertising, shall provide users with 
reasonable access to that PII and other information that 
is associated with the PIl, retained by the member for 
Personalized Advertising purposes. 


(Code § II.F.2.) 


Members shall conduct appropriate due diligence to 
help ensure they obtain data used for Personalized 
Advertising from reliable sources that provide users with 
appropriate levels of notice and choice. 


(Code $ II.F.3.) 


Members that collect, transfer, or store data for use 
in Personalized Advertising and ADR purposes shall 
provide reasonable security for that data. 


(Code § II.F.4.) 


Members shall retain DII and PII collected for use in 
Personalized Advertising and ADR only as long as 
necessary to fulfill a legitimate business need, or as 
required by law. 
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Review Method: 


NAI staff found that nearly all evaluated member 
companies did not engage in the collection of PII for 
Personalized Advertising or the merger of such data 

with DII collected for Personalized Advertising. Where 
applicable, NAI staff confirmed that evaluated member 
companies provided an Opt-Out Mechanism for their 
use of PII for Personalized Advertising and/or reasonable 
access to this data through consumer-facing portals. 


NAI staff reviewed detailed questionnaires, required of all 
evaluated member companies, and interviewed members 
to help confirm that all evaluated member companies 


NAI staff reviewed detailed questionnaires, required of 
all evaluated member companies, to help confirm that 
all evaluated member companies provide reasonable 
security for data collected for Personalized Advertising 
and ADR purposes. 


NAI staff reviewed detailed questionnaires, required of all 
evaluated member companies, and interviewed members 
to help confirm that all evaluated member companies 
retain data only so long as a legitimate business need 
exists, and that each evaluated member company’s 
disclosures reflect such finite retention periods accurately. 
In the case of cookie-based data collection, NAI staff 
manually examined the expiration dates of evaluated 


obtain data only from reliable sources. 


Findings: 


NAI staff found that while the vast 
majority of evaluated member 
companies did not engage in 

the collection or use of PII for 
Personalized Advertising purposes, 
in the rare instances where it was 
applicable, evaluated member 
companies provided an Opt-Out 
Mechanism for such data and/or 
user access to this data through 
consumer-facing portals. 


Evaluated member companies 
overwhelmingly reported 
conducting due diligence on 
data sources to help ensure their 
reliability, including reviewing 
the potential partners’ business 
practices, particularly when those 
partners were not members of 
the NAI and thus could not be 
counted on to have undergone 


member companies’ cookies and posed additional 


questions when those cookies’ lifespans exceeded the 


stated retention periods. 


the same compliance review. 

In the few instances where 
members did not fully understand 
Code requirements regarding 
data quality, NAI staff offered 
suggestions and best practices to 
help them develop due diligence 
processes in this respect. 


All evaluated member companies 
attested that they complied with 
the obligation to reasonably secure 
data. There were no publicly 
reported data breaches regarding 
Personalized Advertising or 

ADR data by evaluated member 
companies during the 2018 
compliance review period. 


All evaluated member companies 
confirmed their data retention 
policies, and explained the 
legitimate business uses for their 
respective retention periods, which 


were also stated in the members’ 
privacy disclosures. In several 
instances evaluated member 
companies had inadvertently 
removed retention policies from 
disclosures during updates, 

but these were quickly spotted 

by NAI staff and the members 
corrected the error within a 
reasonable timeframe. In those 
instances where evaluated member 
companies utilized rolling retention 
periods that update each time a 
browser is encountered, NAI staff 
provided guidance to help clarify 
relevant disclosures. NAI staff also 
used this opportunity to encourage 
members to reduce their data 
retention periods where possible, 
and a number of evaluated 
member companies agreed 

to shorter retention timelines as 

a result 
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—@ ACCOUNTABILITY 


Key Requirements: 


(Code § III.A.2.) 


Members should designate at least one individual 
with responsibility for the managing of the member's 
compliance with the Code and to provide training to 
relevant individuals within the company. 


(Code § III.A.3.) 


Members shall publicly and explicitly disclose their 
membership in the NAI and their adherence to the 
NAI Code. 


(Code § IlI.€.1.) 


Members shall provide a mechanism through which users 
can submit questions or concerns about the company’s 
collection and use of data for Personalized Advertising 
and shall make reasonable efforts, in a timely manner, 

to respond to and resolve questions and concerns that 
implicate the company’s compliance with the Code. 


Findings: 


Review Method: 


NAI staff spoke with at least one individual at each 
evaluated member company to ensure that such an 
individual was designated by the companies with 
responsibility for the managing of the member's 
compliance with the Code and providing training to 
relevant individuals within the company. 


NAI staff reviewed each evaluated member company’s 
disclosures to ensure that every member company 
publicly and explicitly disclosed its membership in the 
NAI and its adherence to the Code. 


NAI staff verified that all evaluated member companies 
provided a mechanism through which users could 
submit questions or concerns, and where relevant, sent 
a series of pseudonymous “consumer” emails to gauge 
the member's responsiveness and timeliness of such 
responses. 


There was at least one individual at each evaluated member company who filled out the annual compliance 


questionnaire and spoke with NAI staff during the company’s compliance interview. 


Evaluated member companies overwhelmingly met the requirement to publicly disclose their membership 
in the NAI and compliance with the Code. The few evaluated member companies that were unclear in their 
public disclosure of NAl membership and adherence to the NAI Code worked with NAI staff to improve these 


disclosures. 


After three rounds of testing consumer question mechanisms, NAI staff noted an average response time under 
two days. 70% of members responded after the first round of testing, 94% of members responded after the 
second round of testing, and 100% of members responded after the third round. This demonstrates continued 
improvement over prior reviews, and the NAI will work with members to further. 
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—@ INVESTIGATIONS AND SANCTIONS 


Overview: 


A thorough initial qualification process, coupled with 
the annual compliance assessment process, use of 
technology to flag and address issues quickly, and the 
availability of strong sanctions should members fail 

to comply, combine to form the keystone of the NAI 
self-regulatory program. The NAI also firmly believes 
that identifying problems early and giving member 
companies an opportunity to resolve minor issues 
related to the Code allows members to be more 

candid during compliance reviews and enables them 

to address these potential issues before they can affect 
the broader population. This approach fosters an 
environment of mutual trust between the NAI and its 
members, and ultimately results in enhanced privacy 
protection for consumers as members become more 
open about potential shortcomings and more willing to 
participate in self-regulatory efforts. Ultimately, sanctions 
and enforcement function primarily as a deterrent 
against noncompliance and as a means of ensuring 
responsiveness from member companies, rather than as 
a demonstration of the NAI’s compliance efforts through 
detailed disclosure of every issue discovered by NAI staff. 


NAI staff investigates private and public allegations 

of noncompliance. Staff also search for evidence of 
noncompliance in the reports generated by the NAI's 
monitoring tools. In the event that NAI staff find, during 
any of the compliance processes, that a member company 
may have materially violated the Code, the matter may 

be referred to the Compliance Committee of the Board 

of Directors with a recommendation for sanctions. Should 
the Committee determine that a member has materially 
violated the Code, the full NAI Board of Directors may 
impose sanctions, including suspension or revocation of 
membership. The NAI may ultimately refer the matter to 
the FTC if a member company refuses to comply. The NAI 
may also publicly name a company in this compliance 
report, and or elsewhere as needed, when the NAI 
determines that the member materially violated the Code. 


Investigations: 


NAI staff conducted three investigations of potential 
material violations of the Code during the 2018 
compliance review period. In each case, NAI staff found 
that the companies in question did not materially 

violate the Code and that incomplete information or 
misunderstandings caused the investigations, and 
consequently sanctions procedures were not appropriate. 


Investigation One 


The first NAI investigation involved a potentially 
malfunctioning Opt-Out Mechanism provided by 

a member company on its own website and on the 

NAI website. This company initially relied on another 

NAI member company’s technology for Personalized 
Advertising as well as for consumer choice. Proprietary 
technology issues caused occasional technical 
malfunctions which led the Opt-Out Mechanism to not 
work correctly when a user tried to opt out of only this 
one member company. However, because nearly all users 
of the NAI Opt-Out Mechanism select the option that 
allows them to opt out of all member companies at once, 
through the use of a prominent button on the page, those 
users would be opted out of the company providing 

the underlying technology to the member in question, 
effectively opting them out of both companies. 


To address this problem, the member in question 
developed its own opt-out technology that functioned 
as a “belt and suspenders” approach and set a second 
opt out directly from this member, which would signal to 
them not to use the second company’s technology for 
Personalized Advertising. Thus, the user would be opted 
out of both the company supplying the Personalized 
Advertising technology, and the company using that 
technology. In practice, either of these two opt outs 
would have been sufficient to opt the user out of this 
company’s Personalized Advertising activities, outside of 
two isolated advertising campaigns that did not leverage 
the partner's technology. 
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When integrating its own “belt and suspenders” opt 

out as a backup in the event of failures with the primary 
opt out provided by its technology partner, the member 
company left the additional opt out in the “staging” 
portion of the NAI site, and did not move this opt out 

to the “production” version of the site, thus making it 
unavailable to consumers. The NAI discovered this issue 
during testing and the company moved quickly to address 
the issue, providing both opt outs as part of its Opt-Out 
Mechanism. 


Because the problem was inadvertent, resolved rapidly 
once discovered, and because only a very limited subset 
of users would have been affected by the issue, NAI staff 
determined that it was not a material violation of the Code 
and that sanctions would not have been appropriate. 


Investigation Two 


The second NAI investigation also involved a potentially 
malfunctioning Opt-Out Mechanism provided by 

a member company on its own website and on the 

NAI website. NAI staff noted during testing that the 
company’s Opt-Out Mechanism was, in certain browsers 
rotating the user ID rather than setting a generic opt-out 
value as required by the NAI, and in other browsers the 
opt-out value did not extend the lifespan of the cookie 
to the five year minimum required by the NAI. 


Upon investigation by the NAI and the member company, 
it was determined that this issue only occurred in a testing 
environment, when a user had two tabs open, one on 

the NAI site and one on the company’s own site. A race 
condition between the opt-out action on the NAI site 

and the regular tracking script on the company’s own site 
causing the cookie to revert to a user ID, with a six month 
expiration period, rather than a generic opt-out value 

and a five year lifespan. Once notified of the issue, the 
company resolved the problem in its technology. 


Because the problem was inadvertent, resolved rapidly 
once discovered, and was unlikely to occur in normal use 
outside of testing, NAI staff determined that it did not rise 
to the level of a material violation of the Code and that 
sanctions would have been inappropriate. 
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Investigation Three 


The third NAI investigation stemmed from a public 
settlement by an NAI member tied to alleged violations 
of the Children’s Online Privacy Protection Act (COPPA). 
After a public announcement of the member company’s 
settlement, NAI staff investigated with the company to 
help ensure that no violations of the NAI Code were 
implicated. 


The NAI’ investigation revealed that the allegations did 
not apply to the use of audience segments specifically 
aimed at children, and as such fell outside the scope of 
the NAI Code. Nonetheless, recent developments have 
helped led to revisions in the NAI Code of Conduct 

with regard to children’s data, and to the formation of a 
working group to address how NAI members can further 
help protect the privacy of minors. 


Accordingly, NAI staff determined that no violation of the 
Code took place, and that sanctions would not have been 
appropriate. 


Investigations Summary 


The NAI's approach to compliance helped fix issues 
expeditiously, while reserving sanctions primarily for 
instances in which member companies are unwilling to 
make requested changes or fail to cooperate with NAI 
staff, thus helping to ensure the viability of the digital 
advertising ecosystem. 


Similarly to prior annual reviews, NAI staff found a 
number of lesser potential problems with several member 
companies. These member companies willingly resolved 
each issue raised by NAI staff. Often, affected member 
companies implemented additional measures voluntarily, 
to reduce the likelihood of future noncompliance. Based 
on its historical approach to minor infractions, typically 
caused by misunderstandings or technical glitches, NAI 
staff worked with members to resolve issues before they 
became material violations of the Code. 
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SUMMARY OF FINDINGS 


NAI staff found that in 2018 evaluated member companies overwhelmingly complied with 
the Code, and that to the extent that any potential violations were identified, they were not 
material in nature. 


Evaluated member companies demonstrated that they remain vigorously committed to 

the NAI's self-regulatory framework. Representatives from evaluated member companies 
welcomed feedback and best-practice suggestions from NAI staff, signaling their commitment 
to providing and building a top-notch privacy protection program. 


This report validates the role of the NAI's Code and self-regulatory process 


in promoting consumer privacy in the digital advertising industry. The NAI 
continues to update its Code and guidance to keep pace with technological 
developments and changing norms, culminating most recently in the publication 
of the 2020 NAI Code of Conduct, which is scheduled to go into effect in January 
2020. This new Code will greatly expand the scope of the NAI’s compliance 
program and will provide many new privacy protections for users in the realm 

of device sensors, location data, sensitive data, and offline data use for digital 
advertising. NAl members continue to devote valuable resources to cooperate in 
the NAI's thorough annual reviews of their policies and practices. The common 
goal is to ensure that members adhere to privacy principles embodied in the 
NAI Code and guidance when offering new and existing products, even at a 


time of global and domestic regulatory uncertainty. 
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At a time when the nature of digital advertising is being questioned and 
reconsidered in Europe, in several US states, and on a federal level, it 
is even more important for self-regulatory efforts in the US to clearly 
demonstrate that a thoughtful and flexible self-regulatory approach can 


provide robust consumer privacy protection while also allowing digital 
advertising technology, and the Internet economy more broadly, to 
flourish. Perhaps most importantly, the NAI’s approach aims to preserve 
free and equal consumer access to a bounty of diverse content online. 


In 2018, the NAI performed one of its largest compliance reviews yet, with 92 evaluated 
member companies, while separately reviewing eleven additional companies who were 
accepted as new members during the year. Through this review, NAI staff closely monitored 
the digital advertising ecosystem, staying current with the latest developments and 
challenges, which translated directly into the publication of the 2020 Code of Conduct. The 
feedback loop of drafting policy to preserve and enhance consumer privacy in the digital 
advertising ecosystem, while conducting annual reviews of the companies that compose a 
large portion of this market, allows the NAI to not only identify the most pressing and timely 
issues and challenges, but also to address them in a swift and effective manner, which it will 
continue into the next decade. 


At a time when the nature of digital advertising is being questioned and reconsidered 

in Europe, in several US states, and on a federal level, it is even more important for 
self-regulatory efforts in the US to clearly demonstrate that a thoughtful and flexible self- 
regulatory approach can provide robust consumer privacy protection while also allowing 
digital advertising technology, and the Internet economy more broadly, to flourish. Perhaps 
most importantly, the NAI’s approach aims to preserve free and equal consumer access to a 
bounty of diverse content online. 
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To that end, the NAI is devoting a large part of its compliance resources in 2019 to member 
education regarding the 2020 Code of Conduct, and the many new requirements present 

in that document. NAI staff and its Board of Directors are also working on new guidance for 
members regarding Precise Location Data, and how advertising technology companies can 
help provide additional notice to users, consistent with new requirements in the 2020 Code, 
and going beyond current messaging in platform-provided consent mechanisms. The NAI is 
also working on additional guidance around data collection or use on websites targeted to 
children, as the 2020 Code increases the age threshold from thirteen to sixteen. The NAI is 
further expanding its public policy efforts and outreach on a state and federal level, speaking 
with regulators and legislators alike to inform them about the intricacies of digital advertising, 
the most pressing privacy concerns in this area, and how self-regulation can work as a 
foundation and essential piece of additional federal regulation or state and federal legislation. 
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ENDNOTES 


1 IBA is defined in the Code as “the collection of data across web domains owned or operated by different entities 
for the purpose of delivering advertising based on preferences or interests known or inferred from the data collected” 
(Code § I.F.). Since 2015 the NAI has also formally applied the Code’s IBA requirements to the practice of Retargeting, 
defined as “the practice of collecting data about a browser's or device's activity in one unaffiliated web domain or 
application for the purpose of delivering an advertisement based on that data in a different, unaffiliated web domain or 
application” (Code § I.M.). 


2 The Code imposes requirements with respect to Ad Delivery & Reporting, (ADR). ADR is defined in the Code as 
“the collection or use of data about a browser or device for the purpose of delivering ads or providing advertising- 
related services, including, but not limited to: providing a specific advertisement based on a particular type of browser, 
device, or time of day; statistical reporting, traffic analysis, analytics, optimization of ad placement; ad performance, 
reach, and frequency metrics (e.g., frequency capping); security and fraud prevention; billing; and logging the number 
and type of ads served on a particular day to a particular website, application, or device” (Code § 1.A.). 


3 The Code covers activities that occur in the United States or affect consumers in the United States. While the 
NAI encourages its members to apply the high standards of the Code to their Personalized Advertising and ADR 
activities globally, the NAI only evaluated US-based Personalized Advertising and ADR activity for the purposes of this 
compliance report. Unless noted otherwise, all references to the NAI Code refer to the 2018 NAI Code of Conduct, 
which can be found at: https://www.networkadvertising.org/sites/default/files/nai_code2018.pdf. 


4 The Code defines CAA as “the collection of data across applications owned or operated by different entities on a 
particular device for the purpose of delivering advertising based on preferences or interests known or inferred from the 
data collected” (App Code § |.B.). 


5 Personalized Advertising is defined in the Code as “a collective term for Interest-Based Advertising, Cross-App 
Advertising, and Retargeting, as well as any combination of these practices” (Code § I.J.). 


6 NAI membership spans various technology platforms, including demand side platforms (DSPs), supply side 
platforms (SSPs), data management platforms (DMPs) and audience management platforms (AMPs). While the NAI’s 
self-regulatory process applies only to member companies, the NAI encourages all companies that are part of the 
advertising technology ecosystem to join its program. 


7 A 2014 study shows that offering relevant advertising to visitors benefits smaller websites, providing essential 
revenue to the “long tail” of web content. See J. Howard Beales & Jeffrey A. Eisenach, An Empirical Analysis of 
the Value of Information Sharing in the Market for Online Content (2014), http://www.aboutads.info/resource/ 
fullvalueinfostudy.pdf 


8 Guidance for NAI Members: Viewed Content Advertising can be found at: https://www.networkadvertising.org/ 
sites/default/files/nai_guidance_viewedcontentadvertising.pdf. 


9 The 2020 NAI Code of Conduct can be found at: https://www.networkadvertising.org/sites/default/files/nai_ 
code2020.pdf. 


10 The General Data Protection Regulation can be found at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/ 
?uri=CELEX:32016RO679&from=EN. 


11 The California Consumer Privacy Act can be found at: https://leginfo.legislature.ca.gov/faces/billTextClient. 
xhtml?bill_id=201720180AB375. 


12 Rachel Glasser, NAI Board member and Chief Privacy Officer at Wunderman, provided testimony before the 
House Energy & Commerce Committee in June of 2018. This testimony can be found at: https://docs.house.gov/ 
meetings/IF/IF17/20180614/108413/HHRG-115-IF17-Wstate-GlasserR-20180614.pdf. 


13 Hearings on Competition and Consumer Protection in the 21st Century, held by the Federal Trade Commission, 


can be found at: https://www.ftc.gov/news-events/events-calendar/ftc-hearing-6-competition-consumer-protection- 
21st-century. 
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14 More information on the Transparency and Consent Framework can be found at: https://iabtechlab.com/ 
standards/gdpr-transparency-and-consent-framework/. 


15 Opt-Out Mechanism is defined under the Code as “an easy-to-use mechanism by which individuals may exercise 
choice to disallow Interest-Based Advertising with respect to a particular browser or device.” (Code § |.J.; App Code § I.K). 


16 The NAI urges applicants and member companies to consult with their own technology and legal experts when 
reviewing the privacy implications of products and business plans. 


17 The following eleven companies completed the new member application process and became NAI members in 
2018: AlikeAudience, AuDigent, Branch, Clicksco, Clinch, DataPlusMath, Nativo, Place Exchange, SafeGraph, Twine, 
and Weborama. 

18 See Investigations and Sanctions infra pp. 26. 

19 The following companies were reviewed in 2017 but were not among evaluated member companies in 2018: 

a. Accuen, Aggregate Knowledge, Arbor, Atlas, Audience Trust, Brightroll, RadiumOne, Rocketfuel, Tagular, 
TubeMogul, and YuMe, were no longer independently engaged in Personalized Advertising operations in the United 
States. These companies terminated their NAl memberships and did not complete the 2018 annual compliance review. 

b. Comet, Defy Media, TruEffect, and Videology ceased operations altogether in 2018. 

ra Eyereturn, and iBotta, did not renew their NAl memberships in 2018. 


20 See supra, note 17. 


21 NAI staff makes an effort to review its newest member companies first during the subsequent annual review, in order 
to minimize the time between a member's initial membership application review and its first annual compliance review. 


22 Ifa member has an agreement with a partner to collect data on the partner's site or app for Personalized Advertising 
purposes, the member is obligated to require through its contractual provisions that the partner provide notice to the 
user and a link to an Opt-Out Mechanism (Code §§ II.B.3-4.). This requirement is discussed more fully below. 


23 NAI member companies represent 8 of the top 10 Ad Networks according to the comScore Ad Focus Rankings 
(Desktop Only) last published in December 2018, available at: https://www.comscore.com/Insights/Rankings. 


24 One member company, Magnetic, completed all other parts of its 2018 NAI compliance review but ceased 
operations before being able to complete its attestation form for the year. 


25 As described above, with the Privacy Disclosure Scanner, the NAI monitors member privacy disclosures to ensure 
that members do not inadvertently remove language required by the Code. 
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